US8776252B2 - System, method, and computer program product for securing data on a server based on a heuristic analysis - Google Patents


Info

Publication number
US8776252B2
Authority
US
United States
Prior art keywords
data
access
attempts
server
user
Prior art date
Legal status
Active (as listed by Google Patents; not a legal conclusion)
Application number
US13/631,843
Other versions
US20130024943A1 (en)
Inventor
Satish Kumar Gaddala
Current Assignee
McAfee LLC
Original Assignee
McAfee LLC
Application filed by McAfee LLC
Priority to US13/631,843
Publication of US20130024943A1
Application granted
Publication of US8776252B2
Assigned to MCAFEE, LLC reassignment MCAFEE, LLC CHANGE OF NAME AND ENTITY CONVERSION Assignors: MCAFEE, INC.
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. reassignment MORGAN STANLEY SENIOR FUNDING, INC. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. reassignment MORGAN STANLEY SENIOR FUNDING, INC. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to MCAFEE, LLC reassignment MCAFEE, LLC RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786 Assignors: JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT
Assigned to MCAFEE, LLC reassignment MCAFEE, LLC RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676 Assignors: MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT
Assigned to JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT reassignment JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT reassignment JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: MCAFEE, LLC

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Confidential data exchange wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/10 Network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the present invention relates to securing data, and more particularly to securing data on a server.
  • system administrators are generally granted full access to data within an associated administrated network, many times including confidential data directed toward specific users, like their mail data.
  • access to a network user's data is sometimes secured using a unique user identifier that is particular to the user, such that unauthorized compromise of such identifier may result in full access to the user's potentially private and/or confidential data.
  • a system, method, and computer program product are provided for securing data on a server based on a heuristic analysis.
  • information associated with attempts to access data on a server is recorded. Additionally, the information is heuristically analyzed. Further, the data is secured on the server based on the heuristic analysis.
  • FIG. 1 illustrates a network architecture, in accordance with one embodiment.
  • FIG. 2 shows a representative hardware environment that may be associated with the servers and/or clients of FIG. 1 , in accordance with one embodiment.
  • FIG. 3 shows a method for securing data on a server based on a heuristic analysis, in accordance with one embodiment.
  • FIG. 4 shows a method for taking action in response to a determination that information associated with an attempt to access data on a server is suspicious, in accordance with another embodiment.
  • FIG. 1 illustrates a network architecture 100 , in accordance with one embodiment.
  • a plurality of networks 102 is provided.
  • the networks 102 may each take any form including, but not limited to, a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, a peer-to-peer network, etc.
  • servers 104 which are capable of communicating over the networks 102 .
  • clients 106 are also coupled to the networks 102 and the servers 104 .
  • Such servers 104 and/or clients 106 may each include a desktop computer, lap-top computer, hand-held computer, mobile phone, personal digital assistant (PDA), peripheral (e.g. printer, etc.), any component of a computer, and/or any other type of logic.
  • at least one gateway 108 is optionally coupled therebetween.
  • FIG. 2 shows a representative hardware environment that may be associated with the servers 104 and/or clients 106 of FIG. 1 , in accordance with one embodiment.
  • Such figure illustrates a typical hardware configuration of a workstation in accordance with one embodiment having a central processing unit 210 , such as a microprocessor, and a number of other units interconnected via a system bus 212 .
  • the workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214 , Read Only Memory (ROM) 216 , an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212 , a user interface adapter 222 for connecting a keyboard 224 , a mouse 226 , a speaker 228 , a microphone 232 , and/or other user interface devices such as a touch screen (not shown) to the bus 212 , communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network) and a display adapter 236 for connecting the bus 212 to a display device 238 .
  • the workstation may have resident thereon any desired operating system. It will be appreciated that an embodiment may also be implemented on platforms and operating systems other than those mentioned.
  • One embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology.
  • Object oriented programming (OOP) has become increasingly used to develop complex applications.
  • FIG. 3 shows a method 300 for securing data on a server based on a heuristic analysis, in accordance with one embodiment.
  • the method 300 may be carried out in the context of the architecture and environment of FIGS. 1 and/or 2 . Of course, however, the method 300 may be carried out in any desired environment.
  • the data may include any data capable of being stored on the server.
  • the data may include an electronic mail (email) message, an access control list (e.g. associated with a database, computer program, other data stored on the server, etc), a file, a computer program, a database, etc.
  • the data may be particular to a user.
  • the data may be private with respect to the user (e.g. personal data, etc.), confidential with respect to the user, etc.
  • the data may optionally only be accessible utilizing identification data (e.g. a unique identifier, etc.) associated with the user.
  • the identification data may be created during registration of the user in connection with the server.
  • the identification data may include an identification file unique to the user.
  • Such identification file may include, in one embodiment, a private key, such that the private key may be associated with a public key for accessing the data particular to the user.
  • the identification file may be stored on a client (e.g. personal computer, handheld device, any of the devices described above with respect to FIGS. 1 and/or 2 , etc.) utilized by the user, such that, in response to a request issued by the user utilizing the client to access the data, the client may be verified based on the identification file stored thereon.
  • the server on which the data is located may include any device capable of storing data.
  • the server may include any of the devices described above with respect to FIGS. 1 and/or 2 .
  • the server may include a particular type of server (e.g. application server, web server, database server, etc.) capable of providing a custom application platform at an enterprise level.
  • the server may optionally provide email messaging functionality and/or any other desired applications for devices associated with an enterprise.
  • the server may be an IBM® Lotus® Domino® server, in one possible embodiment.
  • the attempts to access the data on the server may include any requests made with respect to the data, which may, but do not necessarily result in actual access to the data.
  • the attempts to access the data may include requests to open, read, write, modify, etc. the data on the server.
  • the attempts to access the data may also include an attempt to log on to the server.
  • the attempts to access the data on the server may be issued remotely.
  • the attempts may be issued by a client to the server over a network (e.g. such as any of the networks described above with respect to FIG. 1 ).
  • the attempts to access the data may be issued automatically.
  • the attempts may be issued by an application.
  • the attempts to access the data may be issued manually.
  • Such manual attempts may include, for example, user-initiated attempts.
  • the attempts to access the data may include an attempt to modify an access control list (ACL).
  • the ACL may include, for example, a list of permissions associated with content (e.g. files, email messages, computer programs, etc) located local and/or remote with respect to the server on which the data is stored. Such permissions may include user permissions, which indicate access rights to content based on particular users. As another option, the permissions may include application and/or device permissions, which may indicate access rights to content based on particular applications (e.g. computer programs, etc.) and/or devices (e.g. computers, etc.), respectively. Also, modifying the ACL may optionally include modifying any of the permissions in the ACL.
  • the attempts to access the data may include an attempt by a first user to access data at least previously inaccessible to such first user (e.g. due to the fact that it was particular to a second user, etc.).
  • identification data previously utilized by the second user to access the data may be utilized by the first user to access the data.
  • the first user may attempt to access data particular to the second user utilizing such identification data associated with the second user.
  • the identification data may have previously been stored on a second computer utilized by the second user to access the data, and may thus be subsequently stored on a first computer utilized by the first user to access the data.
  • the attempts to access the data may include attempts to access data utilizing identification data that has changed locations.
  • the attempts to access the data may include an attempt by a first user and an attempt by a second user to access the same data simultaneously.
  • the second user may attempt to access data during access of such data by the first user.
  • these access attempts are only examples of the various attempts to access the data that may be made; the attempts to access the data may be made in any desired manner.
  • the information associated with the attempts to access the data may include any information capable of describing, or being otherwise associated with such attempts.
  • the information may include a source of the attempts.
  • such source may identify a computer [e.g. by computer name, internet protocol (IP) address, etc.], a user, etc. which initiated the attempts.
  • the information may include a time associated with each of the attempts.
  • the information may describe the type of attempts (e.g. open data, read data, modify data, etc.). Just by way of example, the information may describe an attempt to modify the data. In still another embodiment, the information may indicate the identification data utilized in attempting to access the data.
  • the information may be recorded in any desired data structure capable of storing the same.
  • the information may be recorded in a log file.
  • the log file may be of any desired size.
  • a number of entries of information stored in the log file may be predetermined (e.g. user configured, etc.).
  • such data structure may be stored on the server on which the data attempted to be accessed is located. To this end, information associated with attempts to access data on a server is recorded.
  • such information is heuristically analyzed.
  • the heuristic analysis may include any heuristic analysis which utilizes recorded information associated with a plurality of attempts to access the data.
  • recorded information associated with a latest attempt to access the data may be analyzed with respect to recorded information associated with previous attempts to access the data.
  • characteristics, patterns, etc. may be identified from recorded information associated with a plurality of attempts to access the data, utilizing the heuristic analysis.
  • the heuristic analysis may include determining whether the information is suspicious. For example, a determination that the information is suspicious may indicate that the attempts to access the data are suspicious. Moreover, determining that the information is suspicious may optionally indicate that the data attempted to be accessed (for which the information was recorded) is at least potentially associated with data leakage. Such data leakage may include any unwanted and/or unauthorized disclosure, sharing, discovery, etc. of the data.
  • the characteristics, patterns, etc. identified from the information may indicate whether the information is suspicious.
  • such characteristics, patterns, etc. may be compared with thresholds for determining whether the information is suspicious.
  • it may be determined that the information is suspicious if the information indicates that access to the data has been attempted a threshold number of times.
  • the threshold may include any predefined (e.g. user defined, automatically defined, etc.) threshold.
  • the information may be heuristically analyzed utilizing the server.
  • an application executing on the server may be utilized for heuristically analyzing the information.
  • the information may be heuristically analyzed remotely from the server.
  • the data is secured on the server based on the heuristic analysis, as shown in operation 306 .
  • the data may be secured on the server if it is determined that the information is suspicious, based on the heuristic analysis.
  • the data may be secured if at least potential data leakage is possible, based on the heuristic analysis.
  • an ACL may be secured if a predetermined number of modifications to an ACL, or a specific portion thereof, have been made via the attempts to access such ACL.
  • a database previously only accessed utilizing identification data stored on a first computer associated with a first user may be secured, if the database is subsequently accessed utilizing the same identification information which is stored on a second different computer associated with a second different user.
  • data being accessed by a first user may be secured with respect to access by a second user during such access by the first user.
  • the data may be secured by preventing access to the data, such that access may be prevented for a predefined (e.g. user defined, etc.) time period, until an administrator enables access, etc.
  • the data may be secured by notifying an administrator or a user (e.g. to which the data is particular), etc.
  • the data may be secured in any desired manner.
  • FIG. 4 shows a method 400 for taking action in response to a determination that information associated with an attempt to access data on a server is suspicious, in accordance with another embodiment.
  • the method 400 may be carried out in the context of the architecture and environment of FIGS. 1-3 . Of course, however, the method 400 may be carried out in any desired environment. It should also be noted that the aforementioned definitions may apply during the present description.
  • attempts to access data on a server are monitored.
  • such monitoring may be performed utilizing an application on the server.
  • the monitoring may be performed remotely from the server, utilizing, for example, a computer or network device that intercepts attempts to access data directed from clients and/or other servers to the server on which the data is located.
  • the information may be recorded in a log file to which information associated with other attempts to access the data has been recorded.
  • the log file may include information associated with a plurality of attempts to access the data.
  • the log file may include information associated with attempts to access other data on the server.
  • the log file may be configured (e.g. user-configured, etc.).
  • the information that is recorded in the log file may be selected based on the configuration. To this end, only desired information associated with the attempt to access the data may be recorded.
  • Table 1 illustrates one example of a log file in which information associated with attempts to access data on a server may be recorded. It should be noted that such log file is set forth for exemplary purposes only, and thus should not be construed as limiting in any manner.
  • each entry in the log file may indicate the particular data attempted to be accessed.
  • an identifier of a computer that initiated the attempt may be recorded, along with a time of the attempt.
  • the description of each log file entry may indicate the type of access attempted, as also shown. While not shown, it should be noted that a flag, or any other desired indicator, may be associated with each entry in the log file for indicating whether access to the data associated with the attempt was prevented, allowed, successful, etc., and optionally any actions taken in response thereto (e.g. notifications, etc.).
  • the information associated with the attempt to access the data is heuristically analyzed.
  • the heuristic analysis may include an analysis of the information with respect to any other information in the log file associated with another (e.g. previous) attempt to access the data. In this way, characteristics, patterns, etc. associated with attempts to access the data may be identified utilizing the heuristic analysis.
  • attempts to access data on the server are monitored (operation 402 ).
  • attempts to access data on the server may be continuously monitored. In this way, attempts to access data on the server may be monitored during a heuristic analysis of any identified attempts.
  • action is taken, as shown in operation 412 .
  • the action taken may be based on the type of access attempted. For example, if the access includes reading the data or opening the data, the action may include communicating a notification (e.g. alert, etc.) to an administrator, user, etc. In another example, if the access includes modifying the data, transmitting the data, deleting the data, etc., the action may include preventing the access or the attempted use/manipulation of the data.
  • the action taken may be based on the data attempted to be accessed. In this way, particular types of data may each be associated with different actions (e.g. based on user definitions, etc.). For example, if the access is associated with an ACL, the action may include preventing the access. As another example, if the access is associated with an email message, the action may include communicating a notification.
  • the action taken may be based on the characteristics, patterns, etc. identified by the heuristic analysis.
  • the action may include preventing an access to the ACL.
  • the action may include communicating a notification to the different user, an administrator, etc.
  • the action taken may be selected in any desired manner. Further, the action may include any desired action capable of being taken in response to a determination that the information is suspicious. To this end, data leakage may be prevented by taking action when information associated with an attempt to access the data is determined to be suspicious.
  • an attempt to modify an ACL is identified.
  • the modification may include changing permissions designated by the ACL, for example.
  • information associated with such attempt is recorded.
  • the information may include a source (e.g. computer, user, etc.) that initiated the attempt.
  • the recorded information is further heuristically analyzed.
  • the recorded information may be analyzed in view of other recorded information associated with other attempts to modify the ACL. Accordingly, a pattern of attempts to modify the ACL (e.g. by a particular computer, within a predetermined time period, etc.) may be identified.
  • an action may be taken to prevent the attempted modification to the ACL. In this way, in response to a determination that information associated with an attempt to modify an ACL is suspicious, such access may be prevented.
  • an attempt to log on to a server utilizing identification data is identified.
  • information associated with the attempt is recorded. Such information may identify a source of the attempt, the identification data, etc.
  • the information is heuristically analyzed.
  • Such heuristic analysis may include identifying previously recorded information associated with the identification data.
  • the heuristic analysis may include determining whether the identification data was associated with different sources, based on the identification of the previously recorded information. For example, information indicating that different sources utilized the identification data may signify that the information associated with the attempt to log on to the server is suspicious. Optionally, such signification may be based on whether the identification data was used intermittently between a pair, or more, different sources.
  • the heuristic analysis may be utilized for identifying at least potential data leakage by way of possible unauthorized use of identification data.
  • use of the identification data may be prevented (e.g. for all sources, for sources that do not include a source to which the identification data is registered, etc.).
  • a notification may be communicated to a user, computer, etc. registered to the identification data.
  • an attempt to access data on a server utilizing identification data is identified.
  • information associated with the attempt is recorded.
  • information may include a source of the attempt, the identification data utilized, etc.
  • the information may indicate a location of the identification data, based on the identified source.
  • the recorded information is also heuristically analyzed.
  • Such heuristic analysis may include determining previously stored information associated with the identification data. In this way, any other sources that utilized the identification data to access data on the server previous to the identified attempt may be identified. Additionally, the heuristic analysis may include determining whether any of such sources are different than the source associated with the identified attempt.
  • Identification of any differences may optionally indicate that the information is suspicious.
  • differences in sources utilizing the same identification data may indicate unauthorized use of the identification data by sources (e.g. via theft of such identification data, etc.) for illegitimately accessing data, such as potentially confidential data, associated therewith.
  • this may not be deemed unauthorized use in every case, as some users access the data from two or more different locations. Nonetheless, the attempt to access the data may be prevented in order to avoid potential leakage of the data.
  • if identification data, such as an identification file uniquely registered to a user, is compromised, access to data utilizing the identification data may be prevented.
  • an attempt to access data is identified.
  • information associated with the attempt is recorded.
  • information may include a source of the attempt.
  • the stored information is heuristically analyzed.
  • Such heuristic analysis may include determining whether any previously recorded information is associated with an access attempt with respect to the data.
  • any previously recorded information associated with an access attempt with respect to the data may be identified.
  • only information recorded within a predetermined amount of time prior to the identified attempt may be identified.
  • only information which indicates that the data is still being accessed based on a previous attempt may be identified.
  • the identified attempt to access the data may be prevented.
  • access to the same data by different sources simultaneously may be prevented.
  • access to such data may be allowed simultaneously, but notifications may be communicated to such sources.
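The recording and heuristic-analysis procedure of FIG. 3 and the ACL-modification, relocated-identification-data and simultaneous-access embodiments of FIG. 4 above, as an added Python illustration that is not part of the patent or of McAfee's implementation; the thresholds, field names, access-type labels and the sample log are constructed assumptions.

```python
"""Heuristic analysis of recorded access attempts (FIG. 3 / FIG. 4 style).
Added illustration, not the patent's or McAfee's code; thresholds, field
names, access-type labels and the sample log are constructed assumptions."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AccessAttempt:
    """One log-file entry: the data attempted, the initiating computer, the
    identification data used, the time, and the type of access attempted."""
    data: str      # e.g. "db:payroll", "acl:payroll", "mail:alice"
    source: str    # computer that initiated the attempt (name or IP)
    ident: str     # identification data (e.g. user id file) presented
    time: int      # seconds on a constructed timeline
    kind: str      # "open", "read", "modify", "delete", "logon"


@dataclass(frozen=True)
class Finding:
    reason: str
    action: str    # "prevent" or "notify"


# Assumed thresholds; the patent leaves them user- or automatically defined.
ATTEMPT_THRESHOLD = 5     # attempts on one item of data before it is suspicious
ACL_MOD_THRESHOLD = 3     # ACL modifications within ACL_WINDOW seconds
ACL_WINDOW = 600
CONCURRENT_WINDOW = 120   # an earlier access is treated as still in progress


def choose_action(attempt: AccessAttempt) -> str:
    """Select the action from the type of access and the kind of data:
    ACL access and modify/delete are prevented; read/open and email
    trigger a notification to an administrator or the affected user."""
    if attempt.data.startswith("acl:"):
        return "prevent"
    if attempt.data.startswith("mail:"):
        return "notify"
    if attempt.kind in ("modify", "delete"):
        return "prevent"
    return "notify"


def analyze(log: List[AccessAttempt], latest: AccessAttempt) -> List[Finding]:
    """Analyze `latest` against the previously recorded entries in `log`.
    An empty result means the attempt was not judged suspicious."""
    previous = [e for e in log if e.time <= latest.time and e is not latest]
    findings: List[Finding] = []

    # Heuristic 1: the same data has been attempted a threshold number of times.
    count = sum(1 for e in previous if e.data == latest.data) + 1
    if count >= ATTEMPT_THRESHOLD:
        findings.append(Finding(f"{count} attempts on {latest.data}",
                                choose_action(latest)))

    # Heuristic 2: identification data previously used from a different
    # computer (an identification file that has changed locations).
    other = sorted({e.source for e in previous
                    if e.ident == latest.ident and e.source != latest.source})
    if other:
        findings.append(Finding(
            f"{latest.ident} used from {latest.source} but earlier from {other}",
            "prevent"))

    # Heuristic 3: a pattern of ACL modifications within a time window.
    if latest.data.startswith("acl:") and latest.kind == "modify":
        recent = [e for e in previous if e.data == latest.data
                  and e.kind == "modify" and latest.time - e.time <= ACL_WINDOW]
        if len(recent) + 1 >= ACL_MOD_THRESHOLD:
            findings.append(Finding(
                f"{len(recent) + 1} modifications of {latest.data} "
                f"within {ACL_WINDOW}s", "prevent"))

    # Heuristic 4: another source is still accessing the same data.
    concurrent = [e for e in previous if e.data == latest.data
                  and e.source != latest.source
                  and latest.time - e.time <= CONCURRENT_WINDOW]
    if concurrent:
        findings.append(Finding(
            f"{latest.data} accessed by {latest.source} while in use by "
            f"{concurrent[-1].source}", choose_action(latest)))
    return findings


def scan(log: List[AccessAttempt]) -> List[List[Finding]]:
    """Replay the log in order, analyzing each entry as it is recorded."""
    return [analyze(log[:i + 1], log[i]) for i in range(len(log))]


# Constructed sample log (Table 1 style: data, computer, time, description).
SAMPLE_LOG = [
    AccessAttempt("db:payroll", "pc-alice", "id-alice", 1000, "open"),
    AccessAttempt("db:payroll", "pc-alice", "id-alice", 1060, "read"),
    AccessAttempt("acl:payroll", "pc-admin", "id-admin", 2000, "modify"),
    AccessAttempt("acl:payroll", "pc-admin", "id-admin", 2100, "modify"),
    AccessAttempt("acl:payroll", "pc-admin", "id-admin", 2200, "modify"),
    AccessAttempt("db:payroll", "pc-mallory", "id-alice", 3000, "read"),
    AccessAttempt("db:hr", "pc-bob", "id-bob", 4000, "open"),
    AccessAttempt("db:hr", "pc-carol", "id-carol", 4030, "modify"),
]

if __name__ == "__main__":
    for entry, result in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        for f in result:
            print(f"t={entry.time} {entry.source}: {f.action.upper()} ({f.reason})")
```

Run stand-alone it flags the third ACL modification, the use of id-alice from pc-mallory, and the concurrent access to db:hr, while the earlier benign entries produce no finding.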

Abstract

A system, method, and computer program product are provided for securing data on a server based on a heuristic analysis. In use, information associated with attempts to access data on a server is recorded. Additionally, the information is heuristically analyzed. Further, the data is secured on the server based on the heuristic analysis.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation (and claims the benefit of priority under 35 U.S.C. §120) of U.S. application Ser. No. 11/762,545, filed Jun. 13, 2007, entitled “SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR SECURING DATA ON A SERVER BASED ON A HEURISTIC ANALYSIS”. The disclosure of the prior Application is considered part of and is incorporated by reference in the disclosure of this Application.
FIELD OF THE INVENTION
The present invention relates to securing data, and more particularly to securing data on a server.
BACKGROUND
Traditionally, security systems have been provided for securing data. Oftentimes, such data security is provided for preventing leakage of data (e.g. unwanted disclosure, sharing, etc. of data) outside of an organization. Recently, data leakage from within an organization has also been of concern.
For example, system administrators are generally granted full access to data within an associated administrated network, many times including confidential data directed toward specific users, like their mail data. As another example, access to a network user's data is sometimes secured using a unique user identifier that is particular to the user, such that unauthorized compromise of such identifier may result in full access to the user's potentially private and/or confidential data. There is thus a need for addressing these and/or other issues associated with the prior art.
SUMMARY
A system, method, and computer program product are provided for securing data on a server based on a heuristic analysis. In use, information associated with attempts to access data on a server is recorded. Additionally, the information is heuristically analyzed. Further, the data is secured on the server based on the heuristic analysis.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a network architecture, in accordance with one embodiment.
FIG. 2 shows a representative hardware environment that may be associated with the servers and/or clients of FIG. 1, in accordance with one embodiment.
FIG. 3 shows a method for securing data on a server based on a heuristic analysis, in accordance with one embodiment.
FIG. 4 shows a method for taking action in response to a determination that information associated with an attempt to access data on a server is suspicious, in accordance with another embodiment.
DETAILED DESCRIPTION
FIG. 1 illustrates a network architecture 100, in accordance with one embodiment. As shown, a plurality of networks 102 is provided. In the context of the present network architecture 100, the networks 102 may each take any form including, but not limited to a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, peer-to-peer network, etc.
Coupled to the networks 102 are servers 104 which are capable of communicating over the networks 102. Also coupled to the networks 102 and the servers 104 is a plurality of clients 106. Such servers 104 and/or clients 106 may each include a desktop computer, lap-top computer, hand-held computer, mobile phone, personal digital assistant (PDA), peripheral (e.g. printer, etc.), any component of a computer, and/or any other type of logic. In order to facilitate communication among the networks 102, at least one gateway 108 is optionally coupled therebetween.
FIG. 2 shows a representative hardware environment that may be associated with the servers 104 and/or clients 106 of FIG. 1, in accordance with one embodiment. Such figure illustrates a typical hardware configuration of a workstation in accordance with one embodiment having a central processing unit 210, such as a microprocessor, and a number of other units interconnected via a system bus 212.
The workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other user interface devices such as a touch screen (not shown) to the bus 212, communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network) and a display adapter 236 for connecting the bus 212 to a display device 238.
The workstation may have resident thereon any desired operating system. It will be appreciated that an embodiment may also be implemented on platforms and operating systems other than those mentioned. One embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications.
Of course, the various embodiments set forth herein may be implemented utilizing hardware, software, or any desired combination thereof. For that matter, any type of logic may be utilized which is capable of implementing the various functionality set forth herein.
FIG. 3 shows a method 300 for securing data on a server based on a heuristic analysis, in accordance with one embodiment. As an option, the method 300 may be carried out in the context of the architecture and environment of FIGS. 1 and/or 2. Of course, however, the method 300 may be carried out in any desired environment.
As shown in operation 302, information associated with attempts to access data on a server is recorded. In the context of the present description, the data may include any data capable of being stored on the server. For example, the data may include an electronic mail (email) message, an access control list (e.g. associated with a database, computer program, other data stored on the server, etc.), a file, a computer program, a database, etc.
Additionally, in one embodiment, the data may be particular to a user. For example, the data may be private with respect to the user (e.g. personal data, etc.), confidential with respect to the user, etc. To this end, the data may optionally only be accessible utilizing identification data (e.g. a unique identifier, etc.) associated with the user. As another option, the identification data (e.g. a user id file, etc.) may be created during registration of the user in connection with the server.
Just by way of example, the identification data may include an identification file unique to the user. Such identification file may include, in one embodiment, a private key, such that the private key may be associated with a public key for accessing the data particular to the user. In addition, the identification file may be stored on a client (e.g. personal computer, handheld device, any of the devices described above with respect to FIGS. 1 and/or 2, etc.) utilized by the user, such that, in response to a request issued by the user utilizing the client to access the data, the client may be verified based on the identification file stored thereon.
Furthermore, the server on which the data is located may include any device capable of storing data. For example, the server may include any of the devices described above with respect to FIGS. 1 and/or 2. In one embodiment, the server may include a particular type of server (e.g. application server, web server, database server, etc.) capable of providing a custom application platform at an enterprise level. Optionally, the server may provide email messaging functionality and/or any other desired applications for devices associated with an enterprise. Just by way of example, the server may be an IBM® Lotus® Domino® server, in one possible embodiment.
Still yet, the attempts to access the data on the server may include any requests made with respect to the data, which may, but do not necessarily result in actual access to the data. For example, the attempts to access the data may include requests to open, read, write, modify, etc. the data on the server. Optionally, the attempts to access the data may also include an attempt to log on to the server. In one embodiment, the attempts to access the data on the server may be issued remotely. For example, the attempts may be issued by a client to the server over a network (e.g. such as any of the networks described above with respect to FIG. 1).
Additionally, the attempts to access the data may be issued automatically. For example, the attempts may be issued by an application. As another option, the attempts to access the data may be issued manually. Such manual attempts may include, for example, user-initiated attempts.
Moreover, in one embodiment, the attempts to access the data may include an attempt to modify an access control list (ACL) initially. The ACL may include, for example, a list of permissions associated with content (e.g. files, email messages, computer programs, etc.) located local and/or remote with respect to the server on which the data is stored. Such permissions may include user permissions, which indicate access rights to content based on particular users. As another option, the permissions may include application and/or device permissions, which may indicate access rights to content based on particular applications (e.g. computer programs, etc.) and/or devices (e.g. computers, etc.), respectively. Also, modifying the ACL may optionally include modifying any of the permissions in the ACL.
In another embodiment, the attempts to access the data may include an attempt by a first user to access data at least previously inaccessible to such first user (e.g. due to the fact that it was particular to a second user, etc.). For example, identification data previously utilized by the second user to access the data may be utilized by the first user to access the data. In this way, the first user may attempt to access data particular to the second user utilizing such identification data associated with the second user.
As another example, the identification data may have previously been stored on a second computer utilized by the second user to access the data, and may thus be subsequently stored on a first computer utilized by the first user to access the data. Accordingly, the attempts to access the data may include attempts to access data utilizing identification data that has changed locations.
In yet another embodiment, the attempts to access the data may include an attempt by a first user and an attempt by a second user to access the same data simultaneously. For example, the second user may attempt to access data during access of such data by the first user. Of course, it should be noted that such access attempts are only examples of various attempts to access the data that may be made, and that the attempts to access the data may be performed in any desired manner.
With reference still to operation 302 of FIG. 3, the information associated with the attempts to access the data may include any information capable of describing, or being otherwise associated with such attempts. In one embodiment, the information may include a source of the attempts. For example, such source may identify a computer [e.g. by computer name, internet protocol (IP) address, etc.], a user, etc. which initiated the attempts.
In another embodiment, the information may include a time associated with each of the attempts. In still yet another embodiment, the information may describe the type of attempts (e.g. open data, read data, modify data, etc.). Just by way of example, the information may describe an attempt to modify the data. In even still yet another embodiment, the information may indicate identification data utilized in attempting to access the data.
Also, the information may be recorded in any desired data structure capable of storing the same. For example, the information may be recorded in a log file. In one embodiment, the log file may be of any desired size. Optionally, a number of entries of information stored in the log file may be predetermined (e.g. user configured, etc.). In another embodiment, such data structure may be stored on the server on which the data attempted to be accessed is located. To this end, information associated with attempts to access data on a server is recorded.
As shown in operation 304, such information is heuristically analyzed. In the context of the present description, such analysis may include any heuristic analysis which utilizes recorded information associated with a plurality of attempts to access the data. Just by way of example, recorded information associated with a latest attempt to access the data may be analyzed with respect to recorded information associated with previous attempts to access the data. In this way, in some embodiments, characteristics, patterns, etc. may be identified from recorded information associated with a plurality of attempts to access the data, utilizing the heuristic analysis.
In one embodiment, the heuristic analysis may include determining whether the information is suspicious. For example, a determination that the information is suspicious may indicate that the attempts to access the data are suspicious. Moreover, determining that the information is suspicious may optionally indicate that the data attempted to be accessed (for which the information was recorded) is at least potentially associated with data leakage. Such data leakage may include any unwanted and/or unauthorized disclosure, sharing, discovery, etc. of the data.
For example, the characteristics, patterns, etc. identified from the information may indicate whether the information is suspicious. As an option, such characteristics, patterns, etc. may be compared with thresholds for determining whether the information is suspicious. Just by way of example, it may be determined that the information is suspicious if the information indicates that access to the data has been attempted a threshold number of times. Such threshold may include any predefined (e.g. user defined, automatically defined, etc.) threshold.
As an option, the information may be heuristically analyzed utilizing the server. For example, an application executing on the server may be utilized for heuristically analyzing the information. As another option, the information may be heuristically analyzed remotely from the server.
Still yet, the data is secured on the server based on the heuristic analysis, as shown in operation 306. In one embodiment, the data may be secured on the server if it is determined that the information is suspicious, based on the heuristic analysis. Thus, the data may be secured if at least potential data leakage is possible, based on the heuristic analysis.
Just by way of example, an ACL may be secured if a predetermined number of modifications to an ACL, or a specific portion thereof, have been made via the attempts to access such ACL. As another example, a database previously only accessed utilizing identification data stored on a first computer associated with a first user may be secured, if the database is subsequently accessed utilizing the same identification information which is stored on a second different computer associated with a second different user. In yet another example, data being accessed by a first user may be secured with respect to access by a second user during such access by the first user.
Additionally, in one embodiment, the data may be secured by preventing access to the data, such that access may be prevented for a predefined (e.g. user defined, etc.) time period, until an administrator enables access, etc. In another embodiment, the data may be secured by notifying an administrator or a user (e.g. to which the data is particular), etc. Of course, however, the data may be secured in any desired manner.
More illustrative information will now be set forth regarding various optional architectures and features with which the foregoing technique may or may not be implemented, per the desires of the user. It should be strongly noted that the following information is set forth for illustrative purposes and should not be construed as limiting in any manner. Any of the following features may be optionally incorporated with or without the exclusion of other features described.
FIG. 4 shows a method 400 for taking action in response to a determination that information associated with an attempt to access data on a server is suspicious, in accordance with another embodiment. As an option, the method 400 may be carried out in the context of the architecture and environment of FIGS. 1-3. Of course, however, the method 400 may be carried out in any desired environment. It should also be noted that the aforementioned definitions may apply during the present description.
As shown in operation 402, attempts to access data on a server are monitored. In one embodiment, such monitoring may be performed utilizing an application on the server. Of course, however, the monitoring may be performed remotely from the server, utilizing, for example, a computer or network device that intercepts attempts to access data directed from clients and/or other servers to the server on which the data is located.
In addition, it is determined whether an attempt to access the data on the server has been made. Note decision 404. In response to a determination that an access attempt has been made, information associated with the attempt is recorded, as shown in operation 406. Just by way of example, such information may include an identification of a source of the attempt, a time of the attempt, a description of the access type attempted, etc.
Optionally, the information may be recorded in a log file to which information associated with other attempts to access the data has been recorded. In this way, the log file may include information associated with a plurality of attempts to access the data. Also, the log file may include information associated with attempts to access other data on the server.
As another option, the log file may be configured (e.g. user-configured, etc.). For example, the information that is recorded in the log file may be selected based on the configuration. To this end, only desired information associated with the attempt to access the data may be recorded.
Table 1 illustrates one example of a log file in which information associated with attempts to access data on a server may be recorded. It should be noted that such log file is set forth for exemplary purposes only, and thus should not be construed as limiting in any manner.
TABLE 1
DATA                  SOURCE        TIME       DESCRIPTION
ACL_02                Computer_01   02:45:00   Attempt to Add permission for User_01 to access File_05
User 5 mail Database  Computer_05   02:40:00   Simultaneous session opened from Computer_04
ACL_02                Computer_01   02:39:00   Add permission for User_01 to access File_04
File_01               Computer_03   02:37:00   Read File_01
ACL_02                Computer_02   02:34:00   Delete permission for User_02 to access File_01
As shown in Table 1, each entry in the log file may indicate the particular data attempted to be accessed. In addition, with respect to each entry, an identifier of a computer that initiated the attempt may be recorded, along with a time of the attempt. The description of each log file entry may indicate the type of access attempted, as also shown. While not shown, it should be noted that a flag, or any other desired indicator, may be associated with each entry in the log file for indicating whether access to the data associated with the attempt was prevented, allowed, successful, etc., and optionally any actions taken in response thereto (e.g. notifications, etc.).
Furthermore, as shown in operation 408, the information associated with the attempt to access the data is heuristically analyzed. For example, the heuristic analysis may include an analysis of the information with respect to any other information in the log file associated with another (e.g. previous) attempt to access the data. In this way, characteristics, patterns, etc. associated with attempts to access the data may be identified utilizing the heuristic analysis.
Additionally, it is determined whether the information is suspicious, based on the heuristic analysis. Note decision 410. Such determination may be made based on predefined thresholds compared to results of the heuristic analysis, just by way of example. Still yet, a determination that the information is suspicious may indicate that the attempt to access the data is suspicious, that the data is at least potentially being subjected to data leakage, etc.
If it is determined that the information is not suspicious, further attempts to access data on the server are monitored (operation 402). Of course, however, attempts to access data on the server, as in operation 402, may be continuously monitored. In this way, attempts to access data on the server may be monitored during a heuristic analysis of any identified attempts.
If, however, it is determined that the information is suspicious, action is taken, as shown in operation 412. As an option, the action taken may be based on the type of access attempted. For example, if the access includes reading the data or opening the data, the action may include communicating a notification (e.g. alert, etc.) to an administrator, user, etc. In another example, if the access includes modifying the data, transmitting the data, deleting the data, etc., the action may include preventing the access or the attempted use/manipulation of the data.
As another option, the action taken may be based on the data attempted to be accessed. In this way, particular types of data may each be associated with different actions (e.g. based on user definitions, etc.). For example, if the access is associated with an ACL, the action may include preventing the access. As another example, if the access is associated with an email message, the action may include communicating a notification.
As yet another option, the action taken may be based on the characteristics, patterns, etc. identified by the heuristic analysis. In one embodiment, if the heuristic analysis determines that a predetermined number of modifications have been attempted to modify an ACL (e.g. within a predefined time period, etc.), the action may include preventing an access to the ACL. In another embodiment, if the heuristic analysis determines that identification data utilized in the attempt to access the data has previously been utilized by a different user, the action may include communicating a notification to the different user, an administrator, etc.
Of course, it should be noted that the action taken may be selected in any desired manner. Further, the action may include any desired action capable of being taken in response to a determination that the information is suspicious. To this end, data leakage may be prevented by taking action when information associated with an attempt to access the data is determined to be suspicious.
In one exemplary embodiment, an attempt to modify an ACL is identified. The modification may include changing permissions designated by the ACL, for example. In response to identification of the attempt, information associated with such attempt is recorded. As an option, the information may include a source (e.g. computer, user, etc.) that initiated the attempt.
The recorded information is further heuristically analyzed. For example, the recorded information may be analyzed in view of other recorded information associated with other attempts to modify the ACL. Accordingly, a pattern of attempts to modify the ACL (e.g. by a particular computer, within a predetermined time period, etc.) may be identified. In response to an indication that the information is suspicious (based on the heuristic analysis), an action may be taken to prevent the attempted modification to the ACL. In this way, in response to a determination that information associated with an attempt to modify an ACL is suspicious, such access may be prevented.
In another exemplary embodiment, an attempt to log on to a server utilizing identification data is identified. In response, information associated with the attempt is recorded. Such information may identify a source of the attempt, the identification data, etc.
Further, the information is heuristically analyzed. Such heuristic analysis may include identifying previously recorded information associated with the identification data. In addition, the heuristic analysis may include determining whether the identification data was associated with different sources, based on the identification of the previously recorded information. For example, information indicating that different sources utilized the identification data may signify that the information associated with the attempt to log on to the server is suspicious. Optionally, such signification may be based on whether the identification data was used intermittently between a pair, or more, different sources.
In this way, the heuristic analysis may be utilized for identifying at least potential data leakage by way of possible unauthorized use of identification data. In response to such situation, use of the identification data may be prevented (e.g. for all sources, for sources that do not include a source to which the identification data is registered, etc.). As another option, in response to the identification of potential data leakage, a notification may be communicated to a user, computer, etc. registered to the identification data.
In yet another exemplary embodiment, an attempt to access data on a server utilizing identification data is identified. In response, information associated with the attempt is recorded. For example, such information may include a source of the attempt, the identification data utilized, etc. Thus, the information may indicate a location of the identification data, based on the identified source.
As in the other exemplary embodiments, the recorded information is also heuristically analyzed. Such heuristic analysis may include determining previously stored information associated with the identification data. In this way, any other sources that utilized the identification data to access data on the server previous to the identified attempt may be identified. Additionally, the heuristic analysis may include determining whether any of such sources are different than the source associated with the identified attempt.
Identification of any differences may optionally indicate that the information is suspicious. For example, differences in sources utilizing the same identification data may indicate unauthorized use of the identification data by sources (e.g. via theft of such identification data, etc.) for illegitimately accessing data, such as potentially confidential data, associated therewith. Of course, this may not be deemed unauthorized use all of the time, as some users access the data from two or more different locations. Accordingly, the attempt to access the data may be prevented for avoiding potential leakage of the data. To this end, in situations where identification data, such as an identification file uniquely registered to a user, is compromised, access to data utilizing the identification data may be prevented.
In still yet another exemplary embodiment, an attempt to access data is identified. In response, information associated with the attempt is recorded. In the context of the present exemplary embodiment, such information may include a source of the attempt.
Moreover, the stored information is heuristically analyzed. Such heuristic analysis may include determining whether any previously recorded information is associated with an access attempt with respect to the data. Optionally, only information recorded within a predetermined amount of time previous to the identified attempt may be identified. As another option, only information which indicates that the data is still being accessed based on a previous attempt may be identified.
In this way, it may be determined whether the data associated with the access attempt is currently being accessed by another source. In response to such a scenario, the identified attempt to access the data may be prevented. In this way, access to the same data by different sources simultaneously may be prevented. As another option, access to such data may be allowed simultaneously, but notifications may be communicated to such sources.
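The three heuristics of the exemplary embodiments above (repeated ACL modifications within a time window, identification data reused from a different source, and simultaneous access to the same data) and the action selection of operation 412, run over a log in the shape of Table 1. This is an added example in Python, not code from the patent; the thresholds, the lock-out period, the identification-data column and the 02:38 entry from Computer_04 are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed thresholds; the patent leaves them user- or automatically defined.
ACL_MOD_THRESHOLD = 3                   # this many modifications of one ACL ...
ACL_MOD_WINDOW = timedelta(minutes=15)  # ... within this window is suspicious
SESSION_WINDOW = timedelta(minutes=10)  # an "open" counts as still in progress this long
PREVENT_PERIOD = timedelta(hours=1)     # assumed predefined period for blocking access


@dataclass
class Attempt:
    """One log-file entry (Table 1 columns plus an assumed identification-data column)."""
    data: str                    # data object targeted, e.g. "ACL_02"
    source: str                  # computer that initiated the attempt
    time: datetime
    access_type: str             # open, read, modify, delete, transmit, logon
    ident: Optional[str] = None  # identification data used, if any (assumed)


@dataclass
class Decision:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    action: str = "allow"


def analyze(log: List[Attempt], attempt: Attempt) -> Decision:
    """Compare the latest attempt with previously recorded attempts (operation 408/410)."""
    previous = [a for a in log if a.time < attempt.time]
    reasons: List[str] = []

    # Heuristic 1: a predetermined number of modifications of the same ACL within a window.
    if attempt.data.startswith("ACL") and attempt.access_type in ("modify", "delete"):
        recent = [a for a in previous
                  if a.data == attempt.data
                  and a.access_type in ("modify", "delete")
                  and attempt.time - a.time <= ACL_MOD_WINDOW]
        if len(recent) + 1 >= ACL_MOD_THRESHOLD:
            reasons.append(f"{len(recent) + 1} modifications of {attempt.data} "
                           f"within {ACL_MOD_WINDOW}")

    # Heuristic 2: the same identification data was previously used from a different source.
    if attempt.ident:
        others = {a.source for a in previous
                  if a.ident == attempt.ident and a.source != attempt.source}
        if others:
            reasons.append(f"identification data {attempt.ident} previously used "
                           f"from {sorted(others)}")

    # Heuristic 3: the data is still being accessed by another source (open session).
    concurrent = {a.source for a in previous
                  if a.data == attempt.data
                  and a.source != attempt.source
                  and a.access_type == "open"
                  and attempt.time - a.time <= SESSION_WINDOW}
    if concurrent:
        reasons.append(f"{attempt.data} is being accessed simultaneously "
                       f"from {sorted(concurrent)}")

    if not reasons:
        return Decision(False)
    return Decision(True, reasons, choose_action(attempt))


def choose_action(attempt: Attempt) -> str:
    """Select the action by data type and access type, as in operation 412."""
    if attempt.data.startswith("ACL"):
        return "prevent"                       # ACL changes are blocked outright
    if attempt.access_type in ("modify", "delete", "transmit"):
        return f"prevent for {PREVENT_PERIOD}"  # block for the predefined period
    return "notify"                            # read/open: alert administrator or user


def _t(hms: str) -> datetime:
    return datetime(2007, 6, 13, *map(int, hms.split(":")))


# Constructed log in the shape of Table 1, oldest first. The 02:38 entry and the
# ident values are assumptions so that heuristics 2 and 3 have data to compare.
LOG = [
    Attempt("ACL_02", "Computer_02", _t("02:34:00"), "modify"),
    Attempt("File_01", "Computer_03", _t("02:37:00"), "read"),
    Attempt("User_05_mail", "Computer_04", _t("02:38:00"), "open", ident="User_05.id"),
    Attempt("ACL_02", "Computer_01", _t("02:39:00"), "modify"),
    Attempt("User_05_mail", "Computer_05", _t("02:40:00"), "open", ident="User_05.id"),
    Attempt("ACL_02", "Computer_01", _t("02:45:00"), "modify"),
]

if __name__ == "__main__":
    for entry in LOG:
        d = analyze(LOG, entry)
        print(f"{entry.time:%H:%M:%S} {entry.data:<13} {entry.source:<12} "
              f"{entry.access_type:<7} -> {d.action}; {'; '.join(d.reasons) or 'ok'}")
```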
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims (30)

What is claimed is:
1. A method, comprising:
recording information associated with attempts to access data on a server, wherein the attempts are provided remotely over a network to which the server is coupled;
heuristically analyzing the information, which includes comparing a previous attempt to access the data with a latest attempt to access the data in order to identify a pattern associated with data leakage; and
securing the data on the server such that access to the data is prevented for a predefined period of time based on the pattern.
2. The method of claim 1, wherein the data includes a selected one of a group of elements, the group consisting of:
a) an electronic mail message;
b) an access control list;
c) certain data that is particular to a user; and
d) certain data that is accessible utilizing identification data associated with a user.
3. The method of claim 1, wherein an action to secure the data is determined based on a type of access attempted such that different actions are associated with different types of access attempts.
4. The method of claim 3, wherein at least one of the different actions includes securing an access control list based on a number of modifications to the access control list.
5. The method of claim 1, wherein the data is accessible using an identification file that comprises a private key that can be associated with a public key for accessing the data on the server.
6. The method of claim 1, wherein the information describes an attempt to modify the data and identifies an Internet protocol (IP) address associated with a source.
7. The method of claim 1, wherein the attempts include attempts to modify permissions in an access control list.
8. The method of claim 1, wherein the attempts to access the data include a first user attempting to access data particular to a second user.
9. The method of claim 8, wherein the attempts to access data particular to the second user utilizes identification data associated with the second user.
10. The method of claim 9, wherein the identification data includes an identification file.
11. The method of claim 1, wherein the attempts to access the data include an attempt by a first user and an attempt by a second user to access particular data at a substantially simultaneous time.
12. The method of claim 1, wherein heuristically analyzing the information includes determining if access to the data has been attempted a threshold number of times.
13. A server, comprising:
a processor coupled to a memory such that the server is configured to:
record information associated with attempts to access data on the server, wherein the attempts are provided remotely over a network to which the server is coupled;
analyze the information, which includes comparing a previous attempt to access the data with a latest attempt to access the data in order to identify a pattern associated with data leakage; and
secure the data on the server such that access to the data is prevented for a predefined period of time based on the pattern.
14. The server of claim 13, wherein the data includes a selected one of a group of elements, the group consisting of:
a) an electronic mail message;
b) an access control list;
c) certain data that is particular to a user; and
d) certain data that is accessible utilizing identification data associated with a user.
15. The server of claim 13, wherein an action to secure the data is determined based on a type of access attempted such that different actions are associated with different types of access attempts.
16. The server of claim 13, wherein at least one of the different actions includes securing an access control list based on a number of modifications to the access control list.
17. The server of claim 13, wherein the information describes an attempt to modify the data and identifies an Internet protocol (IP) address associated with a source.
18. The server of claim 13, wherein analyzing the information includes heuristically determining if access to the data has been attempted a threshold number of times.
19. A computer program product embodied on a non-transitory computer readable medium for:
recording information associated with attempts to access data on a server, wherein the attempts are provided remotely over a network to which the server is coupled;
heuristically analyzing the information, which includes comparing a previous attempt to access the data with a latest attempt to access the data in order to identify a pattern associated with data leakage; and
securing the data on the server such that access to the data is prevented for a predefined period of time based on the pattern.
20. The non-transitory computer readable medium of claim 19, wherein the data includes a selected one of a group of elements, the group consisting of:
a) an electronic mail message;
b) an access control list;
c) certain data that is particular to a user; and
d) certain data that is accessible utilizing identification data associated with a user.
21. The non-transitory computer readable medium of claim 19, wherein an action to secure the data is determined based on a type of access attempted such that different actions are associated with different types of access attempts.
22. The non-transitory computer readable medium of claim 21, wherein at least one of the different actions includes securing an access control list based on a number of modifications to the access control list.
23. The non-transitory computer readable medium of claim 19, wherein the data is accessible using an identification file that comprises a private key that can be associated with a public key for accessing the data on the server.
24. The non-transitory computer readable medium of claim 19, wherein the information describes an attempt to modify the data and identifies an Internet protocol (IP) address associated with a source.
25. The non-transitory computer readable medium of claim 19, wherein the attempts include attempts to modify permissions in an access control list.
26. The non-transitory computer readable medium of claim 19, wherein the attempts to access the data include a first user attempting to access data particular to a second user.
27. The non-transitory computer readable medium of claim 19, wherein the attempts to access data particular to the second user utilize identification data associated with the second user.
28. The non-transitory computer readable medium of claim 20, wherein the identification data includes an identification file.
29. The non-transitory computer readable medium of claim 19, wherein the attempts to access the data include an attempt by a first user and an attempt by a second user to access particular data at a substantially simultaneous time.
30. The non-transitory computer readable medium of claim 19, wherein heuristically analyzing the information includes determining if access to the data has been attempted a threshold number of times.
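As an added example (not the patent's own code or any McAfee implementation), the following Python sketch exercises the behaviour the claims above describe over constructed access attempts: the server records each remote attempt, compares the previous attempt with the latest, and secures the data item for a predefined period when one of the claimed leakage patterns appears (a threshold number of attempts, repeated access control list modifications, a first user presenting a second user's identification data, or two users accessing the same data at a substantially simultaneous time). The class and field names, the thresholds and the lock period are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Attempt:
    """One remotely received access attempt (fields are constructed sample data)."""
    t: float                        # time of the attempt, seconds
    user: str                       # user making the attempt
    ip: str                         # source IP address reported with the attempt
    action: str                     # "read", "modify" or "acl_modify"
    owner: str                      # user the requested data is particular to
    ident_of: Optional[str] = None  # user whose identification file was presented

class HeuristicDataGuard:
    """Records attempts per data item, compares the previous attempt with the latest
    and locks the item for a predefined period when a leakage pattern appears."""

    def __init__(self, threshold=5, acl_threshold=3, window=2.0, lock_seconds=300.0):
        self.threshold = threshold          # attempts before the item is secured (hypothetical)
        self.acl_threshold = acl_threshold  # ACL modifications before securing (hypothetical)
        self.window = window                # "substantially simultaneous" gap, seconds
        self.lock_seconds = lock_seconds    # predefined period during which access is prevented
        self.history: Dict[str, List[Attempt]] = defaultdict(list)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, data_id: str, now: float) -> bool:
        return self.locked_until.get(data_id, 0.0) > now

    def record(self, data_id: str, attempt: Attempt) -> str:
        """Record one attempt; return the pattern found, "locked" or "allowed"."""
        if self.is_locked(data_id, attempt.t):
            return "locked"
        log = self.history[data_id]
        prev = log[-1] if log else None
        log.append(attempt)
        pattern = self._analyze(log, prev, attempt)
        if pattern:  # secure the data for the predefined period
            self.locked_until[data_id] = attempt.t + self.lock_seconds
        return pattern or "allowed"

    def _analyze(self, log, prev, latest) -> Optional[str]:
        # Claims 12, 18, 30: access attempted a threshold number of times.
        if len(log) >= self.threshold:
            return "threshold_exceeded"
        # Claims 16, 22: an access control list modified too many times.
        if sum(a.action == "acl_modify" for a in log) >= self.acl_threshold:
            return "acl_modification_burst"
        # Claims 8-10, 26-28: a first user reaching a second user's data with that user's identification data.
        if latest.user != latest.owner and latest.ident_of == latest.owner:
            return "cross_user_identification"
        # Claims 11, 29: previous and latest attempts by different users at a substantially simultaneous time.
        if prev and prev.user != latest.user and latest.t - prev.t <= self.window:
            return "simultaneous_access"
        return None
```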

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/631,843 US8776252B2 (en) 2007-06-13 2012-09-28 System, method, and computer program product for securing data on a server based on a heuristic analysis

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/762,545 US8281405B1 (en) 2007-06-13 2007-06-13 System, method, and computer program product for securing data on a server based on a heuristic analysis
US13/631,843 US8776252B2 (en) 2007-06-13 2012-09-28 System, method, and computer program product for securing data on a server based on a heuristic analysis

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/762,545 Continuation US8281405B1 (en) 2007-06-13 2007-06-13 System, method, and computer program product for securing data on a server based on a heuristic analysis

Publications (2)

Publication Number Publication Date
US20130024943A1 US20130024943A1 (en) 2013-01-24
US8776252B2 true US8776252B2 (en) 2014-07-08

Family

ID=46924915

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/762,545 Active 2029-09-08 US8281405B1 (en) 2007-06-13 2007-06-13 System, method, and computer program product for securing data on a server based on a heuristic analysis
US13/631,843 Active US8776252B2 (en) 2007-06-13 2012-09-28 System, method, and computer program product for securing data on a server based on a heuristic analysis

Country Status (1)

Country Link
US (2) US8281405B1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8281405B1 (en) 2007-06-13 2012-10-02 Mcafee, Inc. System, method, and computer program product for securing data on a server based on a heuristic analysis
US9635734B2 (en) * 2013-11-04 2017-04-25 The L.D. Kichler Co. Low voltage lighting power supply systems and methods
US20150235049A1 (en) * 2014-02-20 2015-08-20 International Business Machines Corporation Maintaining Data Privacy in a Shared Data Storage System
CN106789831B (en) * 2015-11-19 2020-10-23 阿里巴巴集团控股有限公司 Method and device for identifying network attack
US9674201B1 (en) 2015-12-29 2017-06-06 Imperva, Inc. Unobtrusive protection for large-scale data breaches utilizing user-specific data object access budgets
US9674202B1 (en) * 2015-12-29 2017-06-06 Imperva, Inc. Techniques for preventing large-scale data breaches utilizing differentiated protection layers

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5845067A (en) 1996-09-09 1998-12-01 Porter; Jack Edward Method and apparatus for document management utilizing a messaging system
US5987610A (en) 1998-02-12 1999-11-16 Ameritech Corporation Computer virus screening methods and systems
US6073142A (en) 1997-06-23 2000-06-06 Park City Group Automated post office based rule analysis of e-mail messages and other data objects for controlled distribution in network environments
US20020078202A1 (en) 2000-12-15 2002-06-20 Tadanao Ando IP network system having unauthorized intrusion safeguard function
US6460050B1 (en) 1999-12-22 2002-10-01 Mark Raymond Pace Distributed content identification system
US20040008846A1 (en) 2002-07-10 2004-01-15 Alexander Medvinsky Method of preventing unauthorized distribution and use of electronic keys using a key seed
US20050246778A1 (en) 2004-04-23 2005-11-03 Viacheslav Usov Transparent encryption and access control for mass-storage devices
US20060179040A1 (en) * 2005-02-08 2006-08-10 International Business Machines Corporation Data leak protection system, method and apparatus
US20060225134A1 (en) 2005-03-31 2006-10-05 Conti Gregory R Method and system for detection and neutralization of buffer overflow attacks
US20070006322A1 (en) 2005-07-01 2007-01-04 Privamed, Inc. Method and system for providing a secure multi-user portable database
US20070011303A1 (en) 2005-07-11 2007-01-11 Fujitsu Limited Method and apparatus for tracing data in audit trail, and computer product
US20070061786A1 (en) 2004-05-04 2007-03-15 Ling Zhou Methods and apparatus for modifying process control data
US7206964B2 (en) 2002-08-30 2007-04-17 Availigent, Inc. Consistent asynchronous checkpointing of multithreaded application programs based on semi-active or passive replication
US20070094725A1 (en) 2005-10-21 2007-04-26 Borders Kevin R Method, system and computer program product for detecting security threats in a computer network
US20070150955A1 (en) * 2005-12-27 2007-06-28 Nec Corporation Event detection system, management terminal and program, and event detection method
US20070250920A1 (en) 2006-04-24 2007-10-25 Jeffrey Dean Lindsay Security Systems for Protecting an Asset
US20080082538A1 (en) * 2006-09-28 2008-04-03 Microsoft Corporation Access management in an off-premise environment
US7506155B1 (en) 2000-06-22 2009-03-17 Gatekeeper Llc E-mail virus protection system and method
US7603718B2 (en) 2005-03-31 2009-10-13 Microsoft Corporation Systems and methods for protecting personally identifiable information
US8281405B1 (en) 2007-06-13 2012-10-02 Mcafee, Inc. System, method, and computer program product for securing data on a server based on a heuristic analysis

Also Published As

Publication number Publication date
US20130024943A1 (en) 2013-01-24
US8281405B1 (en) 2012-10-02

Similar Documents

Publication Publication Date Title
US11741222B2 (en) Sandbox environment for document preview and analysis
US11645404B2 (en) System, method, and computer program product for preventing access to data with respect to a data access attempt associated with a remote data sharing session
US11632379B2 (en) Method and system for detecting restricted content associated with retrieved content
US9838349B2 (en) Zone classification of electronic mail messages
US8499152B1 (en) Data positioning and alerting system
US7890627B1 (en) Hierarchical statistical model of internet reputation
US8776252B2 (en) System, method, and computer program product for securing data on a server based on a heuristic analysis
US8286255B2 (en) Computer file control through file tagging
US20190289027A1 (en) Methods and Systems for Providing Security for Page Framing
US10708300B2 (en) Detection of fraudulent account usage in distributed computing systems
US11625469B2 (en) Prevention of organizational data leakage across platforms based on device status
US20130276120A1 (en) System, method, and computer program product for determining whether a security status of data is known at a server
US9268954B2 (en) System and method for role discovery
US20190019154A1 (en) Intelligent, context-based delivery of sensitive email content to mobile devices
JP2010026662A (en) Information leakage prevention system
US8701196B2 (en) System, method and computer program product for obtaining a reputation associated with a file
US20130247208A1 (en) System, method, and computer program product for preventing data leakage utilizing a map of data
US9635017B2 (en) Computer network security management system and method
US10826944B1 (en) Systems and methods for network security
Anwar et al. Guess who is listening in to the board meeting: on the use of mobile device applications as roving spy bugs
US20220366039A1 (en) Abnormally permissive role definition detection systems
US20230132611A1 (en) Abnormal classic authorization detection systems

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918

Effective date: 20161220

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045055/0786

Effective date: 20170929

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045056/0676

Effective date: 20170929

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:054206/0593

Effective date: 20170929

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:055854/0047

Effective date: 20170929

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786;ASSIGNOR:JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:054238/0001

Effective date: 20201026

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT;REEL/FRAME:059354/0213

Effective date: 20220301

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT, NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:059354/0335

Effective date: 20220301

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT, NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:060792/0307

Effective date: 20220301